commit: 08aad29b034c7ddc8613de9164b89529aad73978
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 5 18:48:03 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Oct 5 18:48:41 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08aad29b

profiles: drop old xz-utils backdoor masks I don't think they serve much purpose at this point. We had the mask there for over a year and a half, we had a GLSA for it, and Gentoo fortunately wasn't impacted anyway in the end. Obviously all affected versions/packages are long gone too. Bug: https://bugs.gentoo.org/928134 Signed-off-by: Sam James <sam <AT> gentoo.org> profiles/package.mask | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/profiles/package.mask b/profiles/package.mask index 05f752ab2d83..ddae92c83fbb 100644 --- a/profiles/package.mask +++ b/profiles/package.mask @@ -578,25 +578,6 @@ app-emulation/virtualbox-kvm # The symbol versioning "fix" breaks anything built with 3.0.0. >=dev-libs/libassuan-3.0.1 -# Sam James <[email protected]> (2024-03-28) -# Newer 5.4.x releases were signed by a potentially compromised upstream maintainer. -# There is no evidence that these releases contain malicious code, but masked -# out of an abundance of caution. See bug #928134. -sec-keys/openpgp-keys-jiatan -~app-arch/xz-utils-5.4.3 -~app-arch/xz-utils-5.4.4 -~app-arch/xz-utils-5.4.5 -~app-arch/xz-utils-5.4.6 - -# Sam James <[email protected]> (2024-03-28) -# Backdoor discovered in release tarballs. DOWNGRADE NOW. -# https://www.openwall.com/lists/oss-security/2024/03/29/4 -# https://bugs.gentoo.org/928134 -~app-arch/xz-utils-5.5.1_alpha -~app-arch/xz-utils-5.5.2_beta -~app-arch/xz-utils-5.6.0 -~app-arch/xz-utils-5.6.1 - # Sam James <[email protected]> (2023-12-14) # Gentoo's kernel maintainers have decided to discontinue gentoo-sources and # gentoo-kernel for old kernel LTS branches because of the resources to require
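
Review bot: Dropping the second removed block (the `~app-arch/xz-utils-5.5.1_alpha` through `~app-arch/xz-utils-5.6.1` entries under "Backdoor discovered in release tarballs. DOWNGRADE NOW.") is only safe if no ebuild for those versions can still be resolved, and this diff touches `profiles/package.mask` alone, so it does not show that. The commit message says the affected versions and packages are long gone; it would be worth stating that explicitly for `sec-keys/openpgp-keys-jiatan` from the first block as well, ideally by referencing the commits that removed the ebuilds, because once these masks are gone nothing in the profile stops a copy kept in a local or third-party overlay from being selected. The two blocks also had different rationales (the 5.4.x entries were masked "out of an abundance of caution" with no evidence of malicious code, the 5.5.x/5.6.x entries for a confirmed backdoor), so the subject line "drop old xz-utils backdoor masks" could distinguish them for anyone later searching the history of bug #928134.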
